Splunk Search

Why is the chart only valuing 15% above calculated average response?

Communicator

I've created a chart that only shows run times above a 60-day average and its corresponding average, which works perfectly. However, now my users are looking to narrow these to occurrences that are 15% and higher than said average; evidently it's too difficult to look at the numbers I am already presenting. Any suggestions based on my existing search, which I have working?

index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number:  " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| where duration_minutes > avg_time 
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown"))))))) 
| chart values(duration_minutes) as run_time by Firm date_wday_new 
| appendcols 
    [ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
    | stats avg(duration_minutes) as Average by firm_name] 

SplunkTrust

@fisuser1,
If you just want to calculate the percentage, try this

index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15 
| "other search terms"


Communicator

This worked, thank you. @renjith.nair, please copy your suggestion into the answers section; I will, so you get credit.

Here's the final result.

index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
    [ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
    | strcat firm_name " - Firm Number: " firm_number AS Firm
    | bin _time span=60d
    | eventstats avg(duration_minutes) as avg_time by Firm
    | eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
    | where perc_of_change > 15
    | stats first(avg_time) as Average by Firm]
| rename "2. Monday" as Monday
| rename "3. Tuesday" as Tuesday
| rename "4. Wednesday" as Wednesday
| rename "5. Thursday" as Thursday
| rename "6. Friday" as Friday
| fields - firm_name
| fillnull value="."
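The eventstats / eval / where steps shared by the accepted answer and the final search above, reproduced in Python on constructed rows so the filter can be checked outside Splunk (an added example, not code from the thread or from Splunk; the firm names and durations are made up). It also shows what the denominator does: dividing by duration_minutes, as the answer's eval does, only keeps runs more than about 17.65% above their firm average, while dividing by avg_time gives the literal "15% above the average" cut.

```python
# Added example, not code from the thread or from Splunk: the eventstats / eval /
# where steps of the final search, reproduced in Python on constructed rows.
from collections import defaultdict

# Constructed sample events as (Firm, duration_minutes); firm averages are 100, 60, 110.
EVENTS = [
    ("Acme - Firm Number: 101", 84.0),
    ("Acme - Firm Number: 101", 116.0),    # 16% above its firm average
    ("Bravo - Firm Number: 202", 50.0),
    ("Bravo - Firm Number: 202", 70.0),    # 16.67% above
    ("Charlie - Firm Number: 303", 90.0),
    ("Charlie - Firm Number: 303", 130.0),  # 18.18% above
]

def eventstats_avg(events):
    """`eventstats avg(duration_minutes) as avg_time by Firm`: each row keeps its
    duration and gains its Firm's average."""
    total, count = defaultdict(float), defaultdict(int)
    for firm, duration in events:
        total[firm] += duration
        count[firm] += 1
    return [(firm, d, total[firm] / count[firm]) for firm, d in events]

def perc_of_change(duration, avg_time, relative_to_average=False):
    """The answer's eval: round(((duration_minutes-avg_time)/duration_minutes)*100,2).
    relative_to_average=True divides by avg_time instead: percent above the
    average rather than percent of the run itself."""
    base = avg_time if relative_to_average else duration
    return round((duration - avg_time) / base * 100, 2)

def runs_over_threshold(events, threshold=15, relative_to_average=False):
    """`where perc_of_change > 15`; returns (Firm, duration_minutes, perc_of_change)."""
    kept = []
    for firm, duration, avg_time in eventstats_avg(events):
        pct = perc_of_change(duration, avg_time, relative_to_average)
        if pct > threshold:
            kept.append((firm, duration, pct))
    return kept

def threshold_over_average(pct_of_run):
    """(d-a)/d > p is the same cut as d > a/(1-p), so a 15% percent-of-run
    threshold only keeps runs more than 17.65% above their average."""
    return round(pct_of_run / (100 - pct_of_run) * 100, 2)

if __name__ == "__main__":
    print("as written:", runs_over_threshold(EVENTS))
    print("relative to average:", runs_over_threshold(EVENTS, relative_to_average=True))
    print("15% of run =", threshold_over_average(15), "% above average")
```

With the constructed rows only the Charlie run survives the answer's formula, while all three flagged runs survive the avg_time version; pick the denominator that matches what the users mean by "15% above average".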

SplunkTrust

@fisuser1, glad to know 🙂